Logstash error "out of range for an integer"

Getting this error on logstash-plain.log

[2024-04-10T13:22:24,797][WARN ][logstash.outputs.elasticsearch][geoip][2a0f384086e1f5f8eba88bc1849f4a5149188de0fdacb6e00d827adfb445e001] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-syslog-2024.04.10", :routing=>nil}, {"message"=>"<189>date=2024-04-10 time=16:22:23 devname="SIN" devid="F3211" eventtime=1712755342941122066 tz="+0300" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="SINFGFWCORP" srcip=10.XX.XX.1 srcport=7635 srcintf="npu0_vlink1" srcintfrole="undefined" dstip=10.XX.XX.20 dstport=514 dstintf="SIN" dstintfrole="wan" srccountry="Reserved" dstcountry="Reserved" sessionid=2763 proto=17 action="accept" policyid=3 policytype="policy" poluuid="b2d647ea-f912-51eb-5107-61d7234edaa0" policyname="Root VDOM - Fortiguard access" service="SYSLOG" trandisp="snat" transip=10.XX.XX.11 transport=7635 appid=16283 app="Syslog" appcat="Network.Service" apprisk="elevated" applist="g-default" duration=1426684 sentbyte=24592153638 rcvdbyte=0 sentpkt=24543119 rcvdpkt=0 shapingpolicyid=5 shapingpolicyname="SEEF to SINDC Traffic" shapersentname="guarantee-25Mb" shaperdropsentbyte=0 shaperrcvdname="guarantee-25Mb" shaperdroprcvdbyte=0 sentdelta=2482165 rcvddelta=0 durationdelta=144 sentpktdelta=2517 rcvdpktdelta=0", "observer_hostname"=>"SIN", "application_risk"=>"elevated", "@timestamp"=>2024-04-10T13:22:24.534Z, "tag1"=>"fortigatekv", "destination_packets"=>"0", "event_severity"=>"notice", "event_duration"=>"1426684", "Inputtag"=>"syslog", "destination_ip"=>"10.XX.XX..20", "event_created"=>"2024-04-10T16:22:23.000Z", "observer_ingress_zone"=>"wan", "destination_bytes"=>"0", "source_bytes"=>"24592153638", "virtual_domain_name"=>"SI", "network_protocol"=>"UDP", "observer_name"=>"Fortigate", "observer_egress_zone"=>"undefined", "destination_port"=>"514", "source_port"=>"7635", "source_interface"=>"npu0_vlink1", "observer_product"=>"Fortigate Firewall", "event_action"=>"accept", 
"src_ip"=>"10.XX.XX.1", "src_hostname"=>"Server", "source_nat_port"=>"7635", "event_log_size"=>1044, "source_packets"=>"24543119", "source_nat_ip"=>"10.XX.XX.1", "application_list"=>"g-default", "@version"=>"1", "engine_id"=>"1554", "observer_ip"=>"10.XX.XX.1", "event_log_count"=>1, "config_version"=>"v7.1", "policy_id"=>"3", "observer_type"=>"Firewall", "log_type"=>"traffic", "clientkey"=>"ProACT", "fingerprint"=>"8b261b40f08eb2ad974269b9064fc937", "event_category"=>"forward", "observer_vendor"=>"Fortigate", "observer_category"=>"Firewall", "network_application"=>"Syslog", "engine_log_id"=>"0000000020", "network_service"=>"SYSLOG", "destination_interface"=>"SINFS-V252", "source_ip"=>"10.198.250.1", "policy_name"=>"Root VDOM - Fortiguard access", "application_category"=>"Network.Service", "event_start"=>"1712755342941122066", "observer_id"=>"FG4H1ETB21900708", "application_id"=>"16283"}], :response=>{"index"=>{"_index"=>"logstash-syslog-2024.04.10", "_type"=>"_doc", "_id"=>"mKIsyI4BV74eTaBKhYF-", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [source_bytes] of type [integer] in document with id 'mKIsyI4BV74eTaBKhYF-'. Preview of field's value: '24592153638'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Value [24592153638] is out of range for an integer"}}}}}

Most likely [source_bytes] is mapped as an integer in Elasticsearch. That can contain values from -2^31 to 2^31-1 (+ or - 2 billion). A number over 24 billion cannot be contained in that.

Change the mapping of the index to make source_bytes a long rather than an integer. You will need to re-index the data into the index with the new mapping.
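The range check and the re-index described in the answer above, as an added example that is not part of the original posts: it tests each numeric field of the rejected event against the range of its mapped type and builds the request bodies for creating a widened index (`PUT /<dest_index>`) and copying the data (`POST /_reindex`). Only `source_bytes: integer` is confirmed by the error message; the other mapping entries and the `-v2` destination index name are assumptions.

```python
import json
# Inclusive ranges of Elasticsearch's whole-number field types, smallest first.
ES_INT_RANGES = {
    "byte": (-2**7, 2**7 - 1),
    "short": (-2**15, 2**15 - 1),
    "integer": (-2**31, 2**31 - 1),
    "long": (-2**63, 2**63 - 1),
}
# Constructed mapping: only source_bytes=integer is confirmed by the error; the rest is assumed.
SAMPLE_MAPPING = {"source_bytes": "integer", "destination_bytes": "integer",
                  "source_packets": "integer", "event_duration": "integer",
                  "event_start": "long"}
# Field values copied from the rejected event in the log above.
SAMPLE_EVENT = {"source_bytes": "24592153638", "destination_bytes": "0",
                "source_packets": "24543119", "event_duration": "1426684",
                "event_start": "1712755342941122066"}

def smallest_fitting_type(value):
    """Name of the smallest type whose range holds value, or None if even long is too small."""
    for name, (low, high) in ES_INT_RANGES.items():
        if low <= value <= high:
            return name
    return None

def find_overflows(mapping, event):
    """Return {field: (mapped_type, needed_type)} for values outside the mapped type's range."""
    overflows = {}
    for field, mapped in mapping.items():
        if mapped not in ES_INT_RANGES or field not in event:
            continue
        try:
            value = int(event[field])  # Logstash sent these values as strings
        except (TypeError, ValueError):
            continue  # not a whole number: a different mapping problem
        low, high = ES_INT_RANGES[mapped]
        if not low <= value <= high:
            overflows[field] = (mapped, smallest_fitting_type(value))
    return overflows

def reindex_plan(source_index, dest_index, overflows):
    """Request bodies for PUT /<dest_index> and POST /_reindex with the widened fields."""
    props = {f: {"type": needed} for f, (_, needed) in overflows.items() if needed}
    return {"create_index": {"mappings": {"properties": props}},
            "reindex": {"source": {"index": source_index}, "dest": {"index": dest_index}}}

if __name__ == "__main__":
    src = "logstash-syslog-2024.04.10"
    dst = src + "-v2"  # hypothetical destination index name
    plan = reindex_plan(src, dst, find_overflows(SAMPLE_MAPPING, SAMPLE_EVENT))
    print(json.dumps(plan, indent=2))
```

Fields not listed in the new index's mapping are mapped dynamically during the re-index, so any other explicit mappings from the old index have to be carried over as well.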